If someone is using an insecure wireless connection (for example a hot spot in a coffee shop) does it pose a threat even if the person is using a secure application layer protocol? What I mean by secure application layer protocol is https, sftp, ssh etc. In this article it claims credit card numbers can be compromised, but would this be the case even if using https?

If I connect to a non-password protected wireless signal and use the Facebook app on my mobile phone is it easy to get my Facebook password?

3 Answers
3

An attacker sharing the wireless network can definitely pose a threat even when you are apparently communicating securely.

There is a great commercial wireless penetration test tool titled Silica that can do much of what you alluded to (i.e. Passively hijack web application sessions for email, social networking and Intranet sites.).

Regarding Facebook or other mobile phone applications, it depends on the applications being properly configured to communicate securely over the network.

Facebook's Help Center states:

Facebook always posts to a secure page when users are logging in and employs industry standard encryption. This may not always be apparent from the URL (web address), but rest assured our logins are secure.

But that doesn't mean your active sessions are safe - you could also become a victim by accepting a rogue SSL certificate by any number of clever means, again, allowing an attacker full visibility.

I consider the lack of answer to mean that the part about HTTPS was pure FUD.
– curiousguy Jul 24 '12 at 17:46

good question, I haven’t done such research, but the data here summarizes browser support from 2011 www9.atwiki.jp/kurushima/pub/pkimisc/…, though I guess a black swan can appear (twitter.com/ivanristic/status/8555011235). More interesting I imagine is all the custom mobile apps that connect via https to servers (devs forgetting they configured setValidatesSecureCertificate:NO and/or using null ciphers for debugging?)
– Tate Hansen Aug 9 '12 at 7:57

nonetheless, removed the content to make you happy curiousguy!
– Tate Hansen Aug 9 '12 at 7:59

Whether or not your Facebook account in particular is vulnerable on an unencrypted Wi-Fi network greatly depends on how your Facebook app connects to the Facebook servers, even if it is using HTTPS.

Still, there are other concerns to be mindful of on public Wi-Fi networks - encrypted or not. The best advice is to avoid these networks where possible. Use a VPN for your Internet access, if you must connect via public Wi-Fi.

If I connect to a non-password protected wireless signal and use the Facebook app on my mobile phone is it easy to get my Facebook password?

In short, the answer is it depends.

First, are you sure your phone's Facebook app uses HTTPS? If it doesn't, then your credentials and data are being sent in the clear.

Second, does the Facebook app use HTTPS only for login or does it handle all transactions through HTTPS? If the former, your session cookie is probably being sent in the clear - nearly equivalent to your login credentials.

Third, does the Facebook app support and use strong ciphers for its SSL/TLS connections? If not, the data may be as weakly protected (or worse) as if it was in the clear on a WEP network.

Fourth, does the Facebook app perform validation of Facebook's certificate before establishing a connection and will it give an error or refuse the connection if the certificate is invalid? If not, you could fall victim to a man-in-the-middle attack via an SSL proxy.

There are probably more weaknesses to consider that could still expose your Facebook credentials on an open wireless network, but the checklist above should help you avoid most attacks.

However, it should be noted that you are still putting your computer (or phone, tablet, etc.) in a more vulnerable state when connecting to any public network. At home, your first line of defense from untrusted systems is your router. Most routers have built-in firewalls, and their NAT functions also make attacks targeted at your system much more difficult. Once you've connected to a public network though, your system is locally reachable by every other system connected to that network - and, since the owners of these systems are total strangers, those systems are by nature untrusted.

That risk is essentially the same whether the public network is encrypted or not. Lack of encryption and/or authentication on the wireless network just means that the barrier for entry to it is effectively nil. I discuss this issue a little bit more in my answer regarding password-protected free Wi-Fi networks.

It is still worth stating that just because you're on a local network of untrusted systems, it doesn't mean that those systems have unfettered access to yours. Your system's local firewall and other protections still have to be compromised for that to happen. However, it does mean that users of those untrusted systems can break into yours much easier than a random hacker on the Internet.

All of these concerns can be greatly mitigated with a VPN that tunnels all network activity to your trusted provider, and does not allow your system to accept connections from others on the local network.
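The third and fourth checklist items (strong ciphers, certificate validation) can be checked on the client's own TLS settings. This is an added example, not code from the answer or from any app it mentions; the function names are hypothetical and Python's `ssl` module stands in for whatever TLS library the app uses.

```python
import ssl

def audit_context(ctx):
    """Return the checklist items that a client-side ssl.SSLContext fails."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are accepted")
    # strength_bits is 0 for null ciphers and below 128 for export/legacy suites
    weak = sorted(c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < 128)
    if weak:
        findings.append("weak or null ciphers enabled: " + ", ".join(weak))
    return findings

def unverified_context():
    """The 'debug' setup: validation switched off, so an SSL proxy goes unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context():
    """Validation on, TLS 1.2 or newer, forward-secret AEAD suites only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

if __name__ == "__main__":
    for label, ctx in (("unverified", unverified_context()),
                       ("hardened", hardened_context())):
        print(label, audit_context(ctx) or "passes the checklist")
```
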

If someone is using an insecure wireless connection (for example a hot spot in a coffee shop) does it pose a threat even if the person is using a secure application layer protocol?

It should not - this is by definition of a "secure application layer protocol".

If a so called "secure application layer protocol" cannot be used over an insecure link, it just means it is not a secure protocol.

But some sites, like stackexchange.com, only offer HTTPS for the login phase (for password protection), when you are logged in you go back to HTTP, so your cookies travel in clear-text and someone else could use your SE account.

No e-banking should be designed that way, of course: e-banking, and e-commerce should be only done over HTTPS.

If the web-application sometimes uses HTTPS and sometimes reverts back to HTTP, the privacy and integrity of exchanges could be compromised.

If your browser implementation of TLS has flaws, it could be attacked.

If you accept unverified TLS certificates, the TLS session integrity can be compromised.

See also: BEAST

Regarding the referenced article

In fact, many internet service providers include a clause in your contract that holds you responsible for any illegal activities that occur on your connection.

The contract with your ISP does not define your legal responsibility for illegal activities. The law defines your legal responsibility.

The clause in the contract with your ISP ("you are responsible...") just says that the ISP will consider that any action against the ToS (Terms of Service) using your connection allows them to terminate the contract (they cannot prove it is you who initiated this particular action, and they do not care).

Also, once an intruder has access to your home network, they have access to everything you have stored on any computers on that network and anything you do online.

This is utterly wrong and just absurd. Access to a network does not imply access to every file on every computer connected to the network. Or any Internet connected computer would be open to every other Internet connected computer.

An intruder, once inside can access your tax documents, financial records, online banking information, credit card numbers, emails, usernames and passwords, and even where you are going online.

While the cited portions of the article regarding access to data on your home network are slightly exaggerated, they're not to be completely ignored. Systems on the local network would have a much easier time obtaining access to your system and/or your network traffic than any system on the Internet. Also, while you may not ultimately be held responsible for the activities of malicious users on your network (this may vary by jurisdiction), you could still find your door broken down by a SWAT team before they figure out you're not the hacker/terrorist they're looking for. It's happened.
– Iszi Jul 18 '12 at 14:49

@Iszi "While the cited portions of the article regarding access to data on your home network are slightly exaggerated, they're not to be completely ignored." "You are going to die horribly if you do that" articles are hardly helpful. "Also, while you may not ultimately be held responsible for the activities of malicious users on your network (this may vary by jurisdiction)," my point exactly: it varies by jurisdiction, not by ISP.
– curiousguy Jul 18 '12 at 20:54

"you could still find your door broken down by a SWAT team before they figure out you're not the hacker/terrorist they're looking for." I am not telling people to set-up an open Wifi AP. I think your comment is more useful than the linked article: it clearly points out a real issue.
– curiousguy Jul 18 '12 at 20:57

@Iszi "you could still find your door broken down by a SWAT team before they figure out you're not the hacker/terrorist they're looking for." This was not the subject at all. The question is about using a public AP, not setting-up one. I was merely pointing out that the linked article is very confused about legal issues ("ISP makes you responsible" part), so it should not be taken as a reliable source. I was not telling people to open their own Wifi. (Or telling people to do anything other than disregarding silly articles.)
– curiousguy Jul 24 '12 at 20:30
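The "HTTPS for login only" case raised in the answers above (a session cookie that later travels in clear text) shows up in the login response headers. The check below is an added example, not code from any of the posts; the function name, host `example.test` and header values are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

def audit_https_response(url, headers):
    """Return findings for one response, given as (name, value) header pairs."""
    if urlsplit(url).scheme != "https":
        return ["response itself was fetched over cleartext HTTP"]
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)
            for key, morsel in jar.items():
                # Without Secure the browser attaches the cookie to http:// requests too
                if not morsel["secure"]:
                    findings.append(f"cookie '{key}' lacks Secure and will also be sent over HTTP")
        elif lname == "location":
            target = urljoin(url, value)  # resolve relative redirects against the request URL
            if urlsplit(target).scheme == "http":
                findings.append(f"redirect leaves HTTPS: {target}")
    return findings

# Constructed sample: login over HTTPS, then the site drops back to HTTP.
LOGIN_ONLY_HTTPS = [
    ("Set-Cookie", "session=0123456789abcdef; Path=/; HttpOnly"),
    ("Location", "http://example.test/home"),
]
# Constructed sample: the whole session stays on HTTPS.
ALL_HTTPS = [
    ("Set-Cookie", "session=0123456789abcdef; Path=/; Secure; HttpOnly"),
    ("Location", "/home"),
]

if __name__ == "__main__":
    for label, hdrs in (("login-only HTTPS", LOGIN_ONLY_HTTPS), ("all HTTPS", ALL_HTTPS)):
        print(label, audit_https_response("https://example.test/login", hdrs) or "no findings")
```
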